Latest Bot Targets Hadoop Clusters

Hadoop clusters are under siege by a recently discovered malware threat designed to take over cloud-based servers as a platform for launching distributed denial-of-service attacks.

The malware, dubbed DemonBot, was reported in a blog post last week by datacenter cybersecurity vendor Radware. The company (NASDAQ: RDWR) said the malware targets a misconfigured Hadoop YARN remote command execution flaw to infect unsecured Hadoop clusters.

Radware characterized DemonBot as “unsophisticated” in that it spreads only among central Hadoop servers and lacks the punch of the more pervasive Mirai botnet that targeted Internet of Things and other connected devices. Radware previously uncovered a Mirai variant called BrickerBot that corrupts device storage while reconfiguring kernel settings.

“Hadoop clusters typically are very capable and stable platforms and can individually account for much larger volumes of [distributed denial-of-service] traffic compared to IoT devices,” the malware tracker said.

Tel Aviv-based Radware said last week it is currently monitoring 70 exploited Hadoop servers that are spreading DemonBot. Those servers are collectively executing more than 1 million exploits daily, the security firm said. “DemonBot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles,” it added.

Radware has been tracking attempts to exploit an unauthenticated Hadoop YARN remote command execution flaw, which is used to infect unsecured Hadoop clusters with the DemonBot malware. The exploits began ramping up in September and have since reached more than 1 million attempts per day during October.
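The weakness behind the infections described above is a YARN ResourceManager that accepts job submissions from anyone who can reach it. The following configuration audit is an added example written for this page, not code from Radware or the Hadoop project: it parses Hadoop's `core-site.xml`/`yarn-site.xml` property format and flags the settings that leave the ResourceManager open, using the real Hadoop property names and their documented defaults. The two embedded configuration documents and the hostnames in them are constructed samples; a "weak" cluster as it is commonly deployed sits beside the hardened form.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the merged core-site.xml / yarn-site.xml of a typical
# open cluster. Hostnames are made up; the property names are real Hadoop keys.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.internal.example:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>
"""

# Constructed sample: the same cluster with Kerberos authentication, service-level
# authorization, authenticated web endpoints and a restricted admin ACL.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.internal.example:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>rm.internal.example:8088</value></property>
</configuration>
"""


def parse_hadoop_config(xml_text):
    """Return {property name: value} from a Hadoop <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_yarn_exposure(props):
    """Return a list of findings; an empty list means every check passed.

    Each lookup falls back to the Hadoop default for that property, so a key
    that is simply missing from the file is judged as the insecure default.
    """
    findings = []
    if props.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("hadoop.security.authentication is not 'kerberos': "
                        "callers are trusted to name their own user")
    if props.get("hadoop.security.authorization", "false").lower() != "true":
        findings.append("hadoop.security.authorization is not 'true': "
                        "service-level ACLs are not enforced")
    if props.get("hadoop.http.authentication.type", "simple").lower() != "kerberos":
        findings.append("hadoop.http.authentication.type is not 'kerberos': "
                        "the ResourceManager web/REST endpoints accept anonymous requests")
    if props.get("yarn.acl.enable", "false").lower() != "true":
        findings.append("yarn.acl.enable is not 'true': queue and admin ACLs are ignored")
    if props.get("yarn.admin.acl", "*").strip() == "*":
        findings.append("yarn.admin.acl is '*': every user is a YARN administrator")
    addr = props.get("yarn.resourcemanager.webapp.address", "0.0.0.0:8088")
    if addr.startswith("0.0.0.0"):
        findings.append("yarn.resourcemanager.webapp.address binds all interfaces: "
                        "restrict it to an internal address or front it with a firewall")
    return findings


def audit_file(path):
    """Audit a real config file on disk (assumed path; used for interactive runs)."""
    with open(path, encoding="utf-8") as fh:
        return audit_yarn_exposure(parse_hadoop_config(fh.read()))


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_yarn_exposure(parse_hadoop_config(doc))
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

Authentication alone is not the whole story: `hadoop.security.authentication=kerberos` stops anonymous job submission, while `hadoop.http.authentication.type` governs the web and REST endpoints separately, and `yarn.acl.enable` plus `yarn.admin.acl` decide what an authenticated user may do once in. The audit therefore treats each as an independent finding rather than collapsing them into one pass/fail verdict.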

Security experts note that the YARN exploit first surfaced last year, targeting both Linux and Windows machines. At the low end of the threat scale, the infection degrades service by diverting computing resources and may also cause outages, they note.

The new exploit coincides with major disruptions in the Hadoop market, most notably the merger of Hadoop specialists Cloudera (NYSE: CLDR) and Hortonworks (NASDAQ: HDP). The merger has accelerated Hadoop’s push to the cloud, including greater support for Docker containers running on YARN in the latest version of Hadoop.

Both Cloudera and Hortonworks were working towards supporting the Kubernetes cluster orchestrator with their Hadoop distributions before their merger announcement. The goal is to replace YARN with Kubernetes as the resource management framework for clusters. That move would presumably address the latest Hadoop security threat from the DemonBot malware.